Loading in 2 Seconds...
Loading in 2 Seconds...
TRICARE Management Activity. HEALTH AFFAIRS. TRICARE Health Insurance Portability & Accountability Act (HIPAA) Project. HIPAA Privacy - Briefing for Line Leadership. TMA HIPAA Office October 2002. Objectives. Provide a general overview of the HIPAA legislation
HEALTH AFFAIRSTRICARE Health Insurance Portability & Accountability Act (HIPAA) Project
Briefing for Line Leadership
TMA HIPAA Office
Compliance within two years of effective dates of final rules
HIPAA under PL 104-191 requires compliance with several standards, including:
Final Rule Published: August 2002
Rule Effective: April 14, 2001
Compliance Date: April 14, 2003
The DoD HIPAA Privacy regulation preempts state law except:
IIHI - Individually Identifiable Health Information
PHI - Protected Health Information
TPO - Treatment, Payment and Healthcare Operations
Treatment - provision, coordination, consultation and referral
Payment - billing, reimbursement, eligibility, utilization review
Healthcare Operations - QA, credentialing, legal, medical review, auditing, and regular business and management
Use - Internal utilization or sharing IIHI
Disclosure - External release of IIHI
Who? Covered entities (CEs)
What? Protected Health Information (PHI)
Patients have a right to:
A written notice of information practices from health plans and providers
Request to access, inspect and obtain a copy of their protected health information
Request an accounting of disclosures
Request amendment or correction of their records
Request restrictions on uses and disclosures (authorizations)
Accommodation of reasonable communications requests
Complain to the covered entity and to HHS
MHS-wide notice developed
Release to MTFs in December 2002
Distribution to beneficiaries
Mail to home addresses
TRICARE & MTF websites
Centralized electronic tracking of acknowledgement
For the permitted uses and disclosures listed below, a patient’s opportunity to agree or object is not required.
A covered entity may use or disclose PHI to the extent that such use/disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
PHI may be disclosed to the extent necessary to comply with workers’ compensation laws or other similar laws that provide benefits for work-related injuries or illness without regard to fault.
Definition: “A person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information.”
Cannot be a member of the health care provider, health plan, or other covered entity's workforce.
Can be a health care provider, health plan, or another covered entity
Excludes covered entities who disclose protected health information to providers for treatment purposes
MHS/MTFs must obtain “satisfactory assurance” that business associates will reasonably safeguard disclosed information and only use the information for the purposes for which the business associate was engaged.
Memorandums of Understanding (MOUs)
Dept of Veterans Affairs
Dept of Transportation/Coast Guard
DoD Medical Privacy Regulation
MCSC contract modification
MHS/MTFs are not required to monitor or oversee the means by which their business associates carry out privacy safeguards. However, if a material violation of the contract is discovered, the violation must be cured or the contract terminated.
MTF Information Papers
Authorization form template
Updated PO training materials (CD content)